Merzdovnik, G. (2017). Security and privacy in mobile environments [Dissertation, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2017.45068
The number of smartphones is constantly increasing and they have become a central part of our lives. A large part of their success is due to the large number of available applications. While these applications open up a lot of opportunities for their users, they can also pose risks. Given the number of available applications, it is inevitable that they also include poor-quality software. While these applications may not pose a direct risk to the device itself, many of them communicate with some kind of back-end server on the internet. Furthermore, "free" applications often include some kind of advertisement, which, again, needs to be loaded from a server. We analyze the existing ecosystem of third-party tracking in web and mobile applications and evaluate defenses according to their effectiveness in blocking tracking efforts. We show that there is still a lot of information transmitted in clear text, without the use of Transport Layer Security (TLS). In addition, even when TLS is used, this tracking information can still be used by attackers for certain kinds of attacks. Based on our findings, we propose different approaches to protect user privacy and security. Specifically, we explore notary-based validation schemes for certificate validation and provide a longitudinal study of the certificate validation capabilities of available notary services. Mobile apps already employ certificate pinning to prevent interception attacks. However, the application still needs to be updated when the corresponding certificate changes. We therefore provide an on-device certificate pinning solution, which utilizes notary services to update pinned certificates automatically and transparently for the user. Finally, we evaluate existing Android malware analysis platforms and provide metrics on the effectiveness and inter-dependencies of these services. This allows security analysts to select the best-fitting system or subset of systems to accomplish their analysis task.